PatchSiren

CVE-2016-8961 IBM CVE debrief

CVE-2016-8961 is an open redirect issue in IBM BigFix Inventory v9 that can be abused for phishing. A remote attacker can lure a user to a crafted link, redirect the browser to a malicious site, and make the destination appear trusted, increasing the chance of credential theft or follow-on attacks.

Vendor: IBM
Product: CVE-2016-8961
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Organizations running IBM BigFix Inventory or the related IBM License Metric Tool versions identified by NVD, plus security teams responsible for phishing resistance and web-link hygiene.

Technical summary

NVD classifies the flaw as CWE-601 (open redirect) with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The attack requires user interaction: a victim must visit a specially crafted website or link that triggers a redirect from the IBM application to an attacker-controlled destination. NVD's CPE data marks IBM BigFix Inventory through 9.2 and IBM License Metric Tool 9.2.0 as vulnerable.

Defensive priority

Medium

Recommended defensive actions

  • Identify whether IBM BigFix Inventory 9.2 or IBM License Metric Tool 9.2.0 is deployed.
  • Apply the IBM PSIRT/vendor remediation referenced by NVD for CVE-2016-8961.
  • Review and restrict any features or links that redirect users to external destinations; prefer allowlists for approved domains.
  • Warn users to verify destination domains before entering credentials after following product-generated links.
  • Monitor for phishing lures that impersonate IBM BigFix Inventory or trusted internal portals.
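
The allowlist recommendation above, sketched as an added example (not IBM's remediation and not code from the advisory): a redirect-target validator that accepts only same-site paths or https URLs whose host exactly matches an approved list. The host names, function names and sample inputs are constructed for illustration; the page does not describe the affected parameter or IBM's fix.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; use the hosts your deployment approves.
ALLOWED_HOSTS = frozenset({"inventory.example.com", "support.example.com"})


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for same-site absolute paths or https URLs to allowlisted hosts."""
    if not target or target != target.strip():
        return False
    # Browsers and URL parsers disagree on backslashes and control characters,
    # so refuse them outright instead of trying to normalize.
    if any(ord(ch) < 0x20 or ch in "\\\x7f" for ch in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: accept "/path" only. "//host" and "///host" are
        # treated by browsers as pointing at another host.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme != "https":
        return False  # rejects http:, javascript:, data:, and scheme-less "//host"
    if parts.username is not None or parts.password is not None:
        return False  # "https://trusted-host@other-host/" style userinfo
    host = (parts.hostname or "").rstrip(".")
    return host in allowed_hosts  # exact match, so suffix look-alikes fail


def resolve_redirect(target, default="/"):
    """Return the requested target if it passes validation, else a fixed default."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    samples = [  # constructed inputs
        "/reports?id=1",
        "https://support.example.com/kb",
        "//other.example/login",
        "https://inventory.example.com@other.example/",
        "https://inventory.example.com.other.example/",
        "http://inventory.example.com/",
    ]
    for s in samples:
        print(f"{s!r:55} -> {resolve_redirect(s)!r}")
```

Falling back to a fixed default rather than returning an error keeps the user on the trusted site when a link has been tampered with.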

Evidence notes

The debrief is based on the CVE description stating IBM BigFix Inventory v9 could be used for phishing via an open redirect, and on NVD metadata showing CWE-601, the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and affected CPE entries for IBM BigFix Inventory through 9.2 and IBM License Metric Tool 9.2.0. NVD also lists the IBM vendor advisory and a SecurityFocus entry as references.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-01T20:59:03.020Z. NVD later marked the record modified on 2026-05-13T00:24:29.033Z; that later timestamp should not be treated as the issue date.